[Snort-devel] Content across multiple packets Not detected by Snort

Martin Roesch roesch at ...402...
Tue Apr 27 05:22:01 EDT 2004


This rule picks it up on my machine:

alert tcp any any -> any 3131 (content: "trinity at ...2502..."; msg: "Trinity detected";)

Here's the command line I used:

snort -c trinity.rule -r ~/Desktop/packets.pcap -l ./log -A console -N -k none

Try that and let me know how it works.

      -Marty

On Apr 27, 2004, at 7:42 AM, Dennis George wrote:

> Oh I am extremely sorry for that... But in this test case I am 
> searching for trinity at ...2501...
>  
> Sorry I didn't mention that......
>  
> Dennis
>
> Paul Tinsley <jackhammer at ...2499...> wrote:
> Now I may be missing something but looking at your pcap file, there is
> nothing in there to trigger the rule... Here is the ascii content
> between the hosts for the 3131 connection:
> Wow, over a year since the laslability, take
> a loi trinity at ...2502... Welcome
> .nort but are interested in a
> * Major tagging updally supported version with
> ent==============================
>
>
> You are searching for Hello World, that pcap file shouldn't trigger an 
> alert.
>
> Thanks,
> Paul Tinsley
>
>
> ----- Original Message -----
> From: Dennis George
>  Date: Mon, 26 Apr 2004 22:42:23 -0700 (PDT)
> Subject: Re: [Snort-devel] Content across multiple packets Not 
> detected by Snort
> To: snort-devel at lists.sourceforge.net
> Cc: Martin Roesch
>
>
>
>
>  Hi Marty,
>
>
> Here with this mail I am sending the pcaps of my traffic.... It
> contains other traffic also. I am testing snort by creating a server
> client program... My server is listening to port no 3131 and the
> client is sending data to the same port (3131). So check for the 3131
> port in the pcaps.
>
>
> Thanks and regards
>
>
> Dennis
>
> Martin Roesch wrote:
>
> No, I meant do you have binary packet capture files (pcaps) of the
>  traffic that you're having trouble with? To generate them simply, run
>  'tcpdump -w packets.pcap' and run your traffic, that should record the
>  traffic and put it in a format that can be played back through Snort.
>
> -Marty
>
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
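The thread's subject is a content match that fails because the bytes are split across TCP segments. The following is an added illustration, not code from the thread or from Snort: it builds a small constructed set of TCP segments in which the word "trinity" straddles a segment boundary (the real address in the thread is obfuscated by the archive, so a placeholder is used), shows that a per-packet search misses it, and shows that searching the reassembled stream finds it. The reassembly is a minimal first-copy-wins, contiguous-bytes-only model; Snort's own stream preprocessor implements the real thing with per-policy overlap handling.

```python
"""
Constructed example: why a content match can miss a pattern that spans
TCP segments, and how stream reassembly fixes it.  Sample data and the
reassembly model are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # segment payload (no headers)


def _build_sample() -> list:
    """Constructed traffic: the pattern is split as 'tri' | 'nity', the
    segments are delivered out of order, and one is retransmitted."""
    isn = 1000
    ordered = [
        b"Wow, take a look: tri",          # 21 bytes, seq 1000
        b"nity at example.invalid",        # 23 bytes, seq 1021 (placeholder address)
        b" Welcome",                       # seq 1044
    ]
    segs, seq = [], isn
    for p in ordered:
        segs.append(Segment(seq, p))
        seq += len(p)
    # Delivery order: last first, then a duplicate of the middle segment.
    return [segs[2], segs[0], segs[1], segs[1]]


SAMPLE_SEGMENTS = _build_sample()


def per_packet_match(segments, pattern: bytes) -> bool:
    """Naive check: look for the pattern inside each segment on its own."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments) -> bytes:
    """Reassemble the contiguous byte stream starting at the lowest seq.

    Overlapping/retransmitted bytes keep the first copy seen (one of
    several possible policies).  Reassembly stops at the first gap, so a
    missing segment yields only the bytes before it.
    """
    if not segments:
        return b""
    base = min(s.seq for s in segments)
    buf = {}
    for s in sorted(segments, key=lambda s: s.seq):
        for i, byte in enumerate(s.payload):
            buf.setdefault(s.seq - base + i, byte)  # first copy wins
    out = bytearray()
    i = 0
    while i in buf:          # walk forward until the first missing offset
        out.append(buf[i])
        i += 1
    return bytes(out)


def stream_match(segments, pattern: bytes) -> bool:
    """Check the pattern against the reassembled stream instead."""
    return pattern in reassemble(segments)


if __name__ == "__main__":
    pat = b"trinity"
    print("per-packet match:", per_packet_match(SAMPLE_SEGMENTS, pat))  # False
    print("stream match:    ", stream_match(SAMPLE_SEGMENTS, pat))      # True
    print("stream bytes:    ", reassemble(SAMPLE_SEGMENTS))
```

The per-packet check is what a detector sees if it inspects raw packets without reassembly; the stream check is what a rule like the one above relies on when the stream preprocessor is active, which is why a pcap replay that works on one machine and not another usually points at differing reassembly configuration rather than at the rule text.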